Quantum entity authentication apparatus and method

ABSTRACT

A quantum entity authentication apparatus and method. The quantum entity authentication apparatus includes a quantum state preparation unit for preparing an authentication quantum state that is generated based on an authentication key previously shared with an entity, a quantum channel verification unit for transmitting a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum state, to a quantum measurement device, and for verifying security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of Bell measurement being revealed by the quantum measurement device for the quantum state, and a quantum entity authentication unit for, when the security of the quantum channel is verified, authenticating the entity using the result of the Bell measurement and the unique operator.

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of Korean Patent Application No. 10-2020-0022326, filed Feb. 24, 2020, which is hereby incorporated by reference in its entirety into this application.

BACKGROUND OF THE INVENTION 1. Technical Field

The present invention relates generally to quantum entity authentication technology, and more particularly, to measurement-device-independent quantum entity authentication technology.

2. Description of Related Art

It has been proven that, of quantum cryptography communication techniques, a Quantum Key Distribution (QKD) technique theoretically provides unconditional security regardless of computability of an attacker. However, in spite of the QKD technique, the security of which has been proven, there is the possibility that theoretical unconditional security will be damaged in actual implementation of the technique due to the incompleteness of implemented devices. However, it has been also proven that QKD implemented using incomplete devices can provide complete security.

However, it is known that QKD is vulnerable to side-channel attacks using the incompleteness of devices implementing the QKD. As one solution to overcome such vulnerability, technology, such as “measurement-device-independent quantum key distribution (MDI-QKD)” showing that security is not based on the completeness of a measurement device, has been proposed and security thereof has been proven.

Since the security of MDI-QKD designed to be secure against side-channel attacks, as in the case of a basic QKD technique, assumes entity authentication, authentication is essentially required. Therefore, highly-compatible quantum entity authentication technology available for MDI-QKD is required.

Meanwhile, Korean Patent No. 10-2028098 entitled “Apparatus and Method for Authenticating using Quantum Cryptography Communication” discloses an apparatus and method for performing authentication by comparing a quantum state with a sifted key between quantum cryptography communication devices.

SUMMARY OF THE INVENTION

Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and an object of the present invention is to guarantee the security of quantum entity authentication even if a measurement device is exposed to an attacker or the measurement device is not trusted.

Another object of the present invention is to provide quantum entity authentication secure against a side-channel attack on a measurement device.

A further object of the present invention is to provide authentication service to MDI-QKD based on high compatibility with MDI-QKD.

In accordance with an aspect of the present invention to accomplish the above objects, there is provided a quantum entity authentication apparatus, including a quantum state preparation unit for preparing an authentication quantum state that is generated based on an authentication key previously shared with an entity; a quantum channel verification unit for transmitting information about a prestored unique operator to a corresponding entity, and for verifying security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of the Bell measurement being revealed by the quantum measurement device; and a quantum entity authentication unit for, when the security of the quantum channel is verified, authenticating the entity using the result of the Bell measurement and the unique operator.

The quantum state preparation unit may separate the authentication quantum state into a verification state for verifying the security of the quantum channel and an authentication state for authenticating the entity.

The quantum channel verification unit may verify the security of the quantum channel depending on whether a quantum state, generated by performing the operation using the unique operator on the verification state, and a quantum state of the entity match the result of the Bell measurement.

The quantum entity authentication unit may authenticate the entity depending on whether a quantum state, generated by performing the operation using the unique operator on the authentication state, and the quantum state of the entity match the result of the Bell measurement.

The verification state may be configured such that an operation in which a Hadamard operator is included in the unique operator is performed on the verification state.

The quantum measurement device may reveal a result of Bell measurement by a detector reacting to an input quantum state, among multiple detectors, using a polarization beam splitter that receives the input quantum state.

The quantum measurement device may be configured to, when two quantum states are input, decompose the two quantum states into four Bell states, and reveal the result of the Bell measurement from which coincidence measurement events in any one detector are excluded.

The quantum channel verification unit may receive a location of the verification state from the entity and transmit information about a unique operator used to perform an operation at the location of the verification state to the entity.

The quantum entity authentication unit may receive a location of the authentication state from the entity and transmit information about the unique operator used to perform an operation at the location of the authentication state to the entity.

The entity may authenticate an additional entity that requests authentication based on the quantum state of the entity, the unique operator used to perform the operation at the location of the authentication state, the result of the Bell measurement, and the previously shared authentication key.

In accordance with another aspect of the present invention to accomplish the above objects, there is provided a quantum entity authentication method performed by a quantum entity authentication apparatus, including preparing an authentication quantum state that is generated based on an authentication key previously shared with an entity; transmitting information about a prestored unique operator to a corresponding entity, and verifying security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of the Bell measurement being revealed by the quantum measurement device; and when the security of the quantum channel is verified, authenticating the entity using the result of the Bell measurement and the unique operator.

Preparing the authentication quantum state may be configured to separate the authentication quantum state into a verification state for verifying the security of the quantum channel and an authentication state for authenticating the entity.

Verifying the security of the quantum channel may be configured to verify the security of the quantum channel depending on whether a quantum state, generated by performing the operation using the unique operator on the verification state, and a quantum state of the entity match the result of the Bell measurement.

Authenticating the entity may be configured to authenticate the entity depending on whether a quantum state, generated by performing the operation using the unique operator on the authentication state, and the quantum state of the entity match the result of the Bell measurement.

The verification state may be configured such that an operation in which a Hadamard operator is included in the unique operator is performed on the verification state.

Verifying the security of the quantum channel may be configured such that the quantum measurement device reveals a result of Bell measurement by a detector reacting to an input quantum state, among multiple detectors, using a polarization beam splitter that receives the input quantum state.

Verifying the security of the quantum channel may be configured such that, when two quantum states are input, the quantum measurement device decomposes the two quantum states into four Bell states, and reveals the result of the Bell measurement from which coincidence measurement events in any one detector are excluded.

Verifying the security of the quantum channel may be configured to receive a location of the verification state from the entity and transmit information about a unique operator used to perform an operation at the location of the verification state to the entity.

Authenticating the entity may be configured to receive a location of the authentication state from the entity and transmit information about the unique operator used to perform an operation at the location of the authentication state to the entity.

Authenticating the entity may be configured such that the entity authenticates an additional entity that requests authentication based on the quantum state of the entity, the unique operator used to perform the operation at the location of the authentication state, the result of the Bell measurement, and the previously shared authentication key.

Authenticating the entity may be configured to, in a case where a basis of the authentication state is a predefined first basis, if the entity and the additional entity have an identical authentication state and a pair of normal measurement results is derived as the result of the Bell measurement, determine that the additional entity is intervention of an attacker.

Authenticating the entity may be configured to, if the entity and the additional entity have different authentication states and a coincidence measurement event occurs, compare dark count rates and then authenticate the additional entity.

Authenticating the entity may be configured to, in a case where a basis of the authentication state is a predetermined second basis, separate the result of the Bell measurement depending on whether the entity and the additional entity have an identical authentication state, and then authenticate the additional entity.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a diagram illustrating a quantum entity authentication system according to an embodiment of the present invention;

FIG. 2 is a diagram illustrating a quantum measurement device according to an embodiment of the present invention;

FIG. 3 is a diagram illustrating in detail a beam splitting unit illustrated in FIG. 2;

FIG. 4 is a diagram illustrating a quantum entity authentication structure according to an embodiment of the present invention;

FIG. 5 is a block diagram illustrating a quantum entity authentication apparatus according to an embodiment of the present invention;

FIG. 6 is an operation flowchart illustrating a quantum entity authentication method according to an embodiment of the present invention; and

FIG. 7 is a diagram illustrating a computer system according to an embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will be described in detail below with reference to the accompanying drawings. Repeated descriptions and descriptions of known functions and configurations which have been deemed to make the gist of the present invention unnecessarily obscure will be omitted below. The embodiments of the present invention are intended to fully describe the present invention to a person having ordinary knowledge in the art to which the present invention pertains. Accordingly, the shapes, sizes, etc. of components in the drawings may be exaggerated to make the description clearer.

In the present specification, it should be understood that terms such as “include” or “have” are merely intended to indicate that features, numbers, steps, operations, components, parts, or combinations thereof are present, and are not intended to exclude the possibility that one or more other features, numbers, steps, operations, components, parts, or combinations thereof will be present or added.

Hereinafter, embodiments of the present invention will be described in detail with reference to the attached drawings.

FIG. 1 is a diagram illustrating a quantum entity authentication system according to an embodiment of the present invention. FIG. 2 is a diagram illustrating a quantum measurement device according to an embodiment of the present invention. FIG. 3 is a diagram illustrating in detail a beam splitting unit illustrated in FIG. 2. FIG. 4 is a diagram illustrating a quantum entity authentication structure according to an embodiment of the present invention.

Referring to FIG. 1, the quantum entity authentication system is illustrated.

Here, the quantum entity authentication system allows multiple entities 10 and 20 to authenticate each other based on information revealed by a quantum measurement device 100, regardless of the quantum measurement device.

As illustrated in FIG. 1, it can be seen that the entity 10 is indicated by Alice, the entity 20 is indicated by Bob, and the quantum measurement device 100 is indicated by Charlie.

The entities 10 and 20 may perform authentication therebetween according to an embodiment of the present invention.

Referring to FIG. 2, the quantum measurement device 100 according to an embodiment of the present invention may include a beam splitting unit 110, a first polarization beam splitting unit 120, and a second polarization beam splitting unit 130.

The beam splitting unit 110 may correspond to a beam splitter (BS), which may be defined as an operator U_(BS) in association with the optical path of FIG. 3, and may be represented by the following Equation (1):

$\begin{matrix} {U_{BC} = {\frac{1}{\sqrt{2}}\left\{ {\left. a \right\rangle\left\langle {d{{+ i}}a} \right\rangle\left\langle {c{ + }b} \right\rangle\left\langle {c{{+ i}}b} \right\rangle\left\langle d \right.} \right\}}} & (1) \end{matrix}$

Each of Polarization Beam Splitter 1 (PBS1), which is the first polarization beam splitting unit 120, and PBS2, which is the second polarization beam splitting unit 130, may transmit or reflect light depending on a quantum state input to the corresponding polarization beam splitter (PBS).

That is, when the input quantum state is a first quantum state (H

, the PBS may transmit light, whereas, when the quantum state is a second quantum state IV

, the PBS may reflect the light.

For example, when the quantum state input to the first polarization beam splitting unit 120 of FIG. 2 is |H

, a detector D₁ 121 may react to the quantum state.

When two photons are simultaneously input to two different paths a and b connected to BS, with one photon for each path, the detectors 121, 122, 131, and 132 of FIG. 2 may perform Bell state measurement for distinguishing quantum entangled states.

For example as illustrated in FIG. 3, the case where one of four representative Bell states, among quantum entangled states, that is,

${\left. \Psi^{-} \right\rangle = {\frac{1}{\sqrt{2}}\left( {{a_{1}^{+}b_{1}^{+}} + {a_{2}^{+}b_{2}^{+}}} \right)\left. 0 \right\rangle}},$

is input to the beam splitting unit 110 will be described.

The beam splitting unit 110 may split a path for the Bell states through the operation of U_(BS) in Equation (1).

The detectors D₁, D₂, D₃, and D₄ may react to the Bell states split from the polarization beam splitting units 120 and 130. All of the Bell states may be represented by the following Equation (2):

$\begin{matrix} {{U_{BS}\left. \Psi^{-} \right\rangle} = {{U_{BS}\left\lbrack {\frac{1}{\sqrt{2}}\left( {{a_{1}^{+}b_{1}^{+}} + {a_{2}^{+}b_{2}^{+}}} \right)\left. 0 \right\rangle} \right\rbrack} = {{{U_{BS}\left\lbrack {{\left( {{i\; c_{1}^{+}} + d_{1}^{+}} \right)\left( \;{c_{1}^{+} + {i\; d_{1}^{+}}} \right)} + {\left( {{i\; c_{2}^{+}} + d_{2}^{+}} \right)\left( \;{c_{2}^{+} + {i\; d_{2}^{+}}} \right)}} \right\rbrack}\left. 0 \right\rangle} = {\frac{1}{2}{i\left\lbrack {{c_{1}^{+}c_{1}^{+}} + {d_{1}^{+}d_{1}^{+}} + {c_{2}^{+}c_{2}^{+}} + {d_{2}^{+}d_{2}^{+}}} \right\rbrack}\left. 0 \right\rangle}}}} & (2) \end{matrix}$

According to Equation (2), it can be seen that the probability of two clicks on the detector D₁ coincidently occurring, the probability of two clicks on the detector D₂ coincidently occurring, the probability of two clicks on the detector D₃ coincidently occurring, and the probability of two clicks on the detector D₄ coincidently occurring are equal to each other.

Here, the case where a click on one detector coincidently occurs may be regarded as “coincidence measurement event”. Since the coincidence measurement event may occur in association with an external attack or an abnormality in the corresponding detector, the results of such an event may be regarded as measurement results to be discarded in MDI-QKD. Since the coincidence measurement event cannot be distinguished from single-photon measurement and a dark count indicating detector error, it may be regarded as an event to be discarded in MDI-QKD.

The results of analysis of the remaining Bell states may be represented by the following Equations (3) to (5):

$\begin{matrix} {{U_{BS}\left. \Psi^{-} \right\rangle} = {{U_{BS}\left\lbrack {\frac{1}{\sqrt{2}}\left( {{a_{1}^{+}b_{1}^{+}} - {a_{2}^{+}b_{2}^{+}}} \right)\left. 0 \right\rangle} \right\rbrack} = {\frac{1}{2}{i\left\lbrack {{c_{1}^{+}c_{1}^{+}} + {d_{1}^{+}d_{1}^{+}} - {c_{2}^{+}c_{2}^{+}} - {d_{2}^{+}d_{2}^{+}}} \right\rbrack}\left. 0 \right\rangle}}} & (3) \\ {\mspace{79mu}{{U_{BS}\left. \Psi^{+} \right\rangle} = {{U_{BS}\left\lbrack {\frac{1}{\sqrt{2}}\left( {{a_{1}^{+}b_{2}^{+}} + {a_{2}^{+}b_{1}^{+}}} \right)\left. 0 \right\rangle} \right\rbrack} = {\frac{1}{\sqrt{2}}{i\left\lbrack {{c_{1}^{+}c_{2}^{+}} + {d_{1}^{+}d_{2}^{+}}} \right\rbrack}\left. 0 \right\rangle}}}} & (4) \\ {\mspace{85mu}{{U_{BS}\left. \Psi^{-} \right\rangle} = {{U_{BS}\left\lbrack {\frac{1}{\sqrt{2}}\left( {{a_{1}^{+}b_{2}^{+}} - {a_{2}^{+}b_{1}^{+}}} \right)\left. 0 \right\rangle} \right\rbrack} = {\frac{1}{\sqrt{2}}{i\left\lbrack {{c_{2}^{+}d_{1}^{+}} - {c_{1}^{+}d_{2}^{+}}} \right\rbrack}\left. 0 \right\rangle}}}} & (5) \end{matrix}$

The states |Φ⁺

and |Φ⁻

cannot be used as signals because the reactions of detectors are identical to each other and the states are configured using only coincidence measurement events. In contrast, the states |Ψ⁺

and |Ψ⁻

can be distinguished from each other because two individual detectors react to the states at the same time without causing a coincidence measurement event, and pairs of reactions of detectors to the states differ from each other.

The relationships between Bell states and the detectors may be summarized as shown in the following Table 1.

Table 1 illustrates the relationships between Bell states and detector operations.

Referring to Table 1, it can be seen that D_(i)D_(i) denotes a coincidence measurement event and is a measurement event to be discarded in MDI-QKD. Here, i={1,2,3,4}. Therefore, in MDI-QKD, only the Bell states |Ψ⁺

and |Ψ⁻

may be used as quantum states for key generation.

TABLE 1 Detector operation Bell state (“,” means ‘or’) |Φ⁺> D₁D₁, D₂D₂, D₃D₃, D₄D₄ |Φ⁻> |Ψ⁺> D₁D₂, D₃D₄ |Ψ⁻> D₁D₃, D₂D₄

Referring to Table 1, in σ_(z)-basis {|0>, |1>} which is a first basis, when Alice and Bob prepare the same state, a key cannot be shared. The key may be shared only when states orthogonal to each other (different states) are prepared.

When σ_(x)-basis {|+>, |−>} which is a second basis is analyzed in the above manner, a key may be shared even in the same state in addition to the orthogonal states, but a discarded event (i.e., a coincidence measurement event) may be present at a probability of 2/3.

The quantum entity authentication system may include Charlie, who performs only measurements and reveals the results of measurements, in addition to legitimate users Alice and Bob. Charlie is not a legitimate user and may be even an attacker, but Charlie should not falsify the measurement results. An authentication key, such as that shown in Equation (6), may be shared between legitimate users.

Ak=(Ak ₁ ,Ak ₂ , . . . ,Ak _(n)). Ak _(i)∈{00·01·10·11}  (6)

That is, the length of Ak may be 2n bits. Depending on the value of Ak_(i), the authentication quantum states |AQ> generated by Alice and Bob |AQ> may be represented, as shown in Table 2.

Table 2 shows authentication quantum states generated depending on the authentication key.

TABLE 2 Ak_(i) 00 01 10 11 |AQ>_(i) |0> |1> |+> |−>

Referring to FIG. 4, Alice 10 according to an embodiment of the present invention may perform entity authentication on Bob 20.

Alice and Bob may prepare authentication quantum states |AQ> associated with the value of Ak based on the rule of Table 2.

Bob may transmit the generated authentication quantum states to Charlie.

Before transmitting the authentication quantum states to Charlie Alice may select a unique operator N of Alice, such as that shown in Equation (7), and may transmit a quantum state, generated by applying the unique operator to the authentication quantum states, to Charlie that is the quantum measurement device 100.

$\begin{matrix} {\mspace{79mu}{N_{i} \in \left\{ {I,{i\text{?}},H} \right\}}} & (7) \\ {\text{?}\text{indicates text missing or illegible when filed}} & \; \end{matrix}$

The unique operator N may be secret information of Alice.

Alice may perform an operation using the unique operator by separating a verification location at which the security of a quantum channel is to be tested and an authentication location at which a quantum state is to be used as an authentication signal when the operation using the unique operator is performed.

Alice may randomly select a verification state and an authentication state from among the authentication quantum states. A component ratio of the verification states and the authentication states may be determined in association with the performance of a quantum channel. Unlike in the verification states, in the authentication states, a Hadamard operator H, among unique operators, may not be performed. Here, H may provide the effect of mutually converting σ_(z)-basis and σ_(x)-basis. A matrix representation of H and the relationships between H and quantum states may be represented by the following Equations (8) and (9).

$\begin{matrix} {H = {\frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & {- 1} \end{pmatrix}}} & (8) \\ {{{H\left. 0 \right\rangle} = \left.  + \right\rangle}{{H\left. 1 \right\rangle} = \left.  - \right\rangle}{{H\left.  + \right\rangle} = \left. 0 \right\rangle}{{H\left.  - \right\rangle} = \left. 1 \right\rangle}} & (9) \end{matrix}$

The unique operator in Equation (7) may be randomly applied to the verification states.

Charlie may perform Bell measurement using the Bell state measurement structure of FIG. 2, and may reveal the results of the Bell measurement.

Alice may determine whether the verification locations of the verification states satisfy the relational expression of Table 3 so as to verify the security of the quantum channel. If it is determined that the quantum channel is secure as a result of the determination, the process may proceed to a subsequent step, whereas if it is determined that the quantum channel is not secure, authentication quantum states may be newly prepared, and then a quantum channel may be reset.

Alice may authenticate Bob based on the relationship of Table 3 using the results of measurement by Charlie and information about the unique operator N selected and applied by Alice. (D_(i),D_(i)) denotes a coincidence measurement event, and may be a measurement event to be discarded in MDI-QKD.

TABLE 3 Quantum state of Alice* and Bob before measurement (*the quantum state of Alice is a state after the unique operator has been applied) Detector measurement results (|0>, |0>) (D₁, D₁)(D₄, D₄) (|1>, |1>) (D₂, D₂)(D₃, D₃) (|0>, |1>), (|1>, |0>) (D₁, D₂)(D₃, D₄)(D₁, D₄)(D₂, D₄) (|+>, |−>), (|−>, |+>) (D₁, D₁)(D₂, D₂)(D₃, D₃)(D₄, D₄) (D₁, D₃)(D₂, D₄) (|+>, |+>), (|−>, |−>) (D₁, D₁)(D₂, D₂)(D₃, D₃)(D₄, D₄) (D₁, D₂)(D₃, D₄) (|+, |0>), (|0>, |+>) (|−>, |0>), (D₁, D₁)(D₄, D₄) (|0>, |−>) (D₁, D₂)(D₃, D₄)(D₁, D₃)(D₂, D₄) (|+>, |1>), (|1>, |+>) (|−>, |1>), (D₂, D₂)(D₃, D₃) (|1>, |−>) (D₁, D₂)(D₃, D₄)(D₁, D₃)(D₂, D₄)

In this case, Bob 20, who is an entity according to an embodiment of the present invention, may perform entity authentication on Alice 10, who is an another entity.

Bob 20 may have the same structure as Alice 10, and may perform the same function as Alice 10.

Alice 10 may prepare the authentication quantum states |AQ> depending on the value of Ak.

Bob may prepare the authentication quantum states by separating a verification state for verifying the security of the quantum channel and an authentication state for authentication. The verification state may be configured by randomly selecting one from among {|0>, |1>, |+>, |−>} without association with |AQ>. In the authentication state, a quantum state may be randomly prepared, with a basis being maintained. That is, when Ak_(i) is 00 (or 01), the quantum state |AQ>, prepared by Bob, may be one of |0> and |1>. When Ak_(i) is 10 (or 11), the quantum state |AQ>, prepared by Bob, may be one of |+> and |−>.

In detail, examples of the state prepared by Alice and Bob may be shown in the following Table 4.

TABLE 4 Ak 01 10 11 00 11 00 01 11 10 01 00 01 10 11 State prepared by Alice (before |1> |+> |−> |0> |−> |0> |1> |−> |+> |1> |0> |1> |+> |−> application of unique operator) State prepared by Bob |1> |−> |−> |+> |−> |1> |0> |1> |+> |0> |0> |1> |0> |+>

Alice may prepare the quantum state depending on Ak.

Bob may randomly configure a quantum state within the same basis based on Ak with respect to authentication states other than the verification state, and may configure a quantum state by randomly selecting one from among {|0>, |1>, |+>, |−>} regardless of the basis, with respect to the verification state.

Alice may configure the authentication state from the authentication quantum states and randomly selects a unique operator N′, such as that shown in Equation (10). Then Alice may apply the selected unique operator to the authentication states.

N′={I,iσ _(u)}  (10)

From the authentication quantum states, the verification state may be configured by randomly selecting the unique operator N, such as that shown in Equation (7), and applying the selected unique operator to the authentication quantum states.

Alice may transmit the quantum state to which the unique operator has been applied to Charlie.

Charlie may perform Bell measurement on the quantum states received from Alice and Bob, and may reveal the results of the Bell measurement.

Bob may notify Alice of the location of the verification state, request Alice to reveal the unique operator N used to perform the operation at the corresponding location, and receive information about the unique operator N from Alice.

Bob may test the security of the corresponding channel by checking whether the results of measurement revealed by Charlie, the unique operator N revealed by Alice, and the quantum state transmitted by Bob to Charlie are associated with each other with reference to Table 3.

Bob may proceed to a subsequent step if it is determined that the quantum channel is secure, otherwise Bob may reprepare authentication quantum states and reset a quantum channel.

Bob may request Alice to reveal the unique operator N′ for the authentication states (i.e., states other than the previously revealed verification state), and may acquire information about the unique operator N′ from Alice.

Bob may authenticate Alice by comparing the states prepared by Bob, N′ revealed by Alice for the authentication states, the results of Bell measurement revealed by Charlie, and the previously shared authentication key Ak and then checking whether the relationships of Table 3 are satisfied.

FIG. 5 is a block diagram illustrating a quantum entity authentication apparatus according to an embodiment of the present invention.

Referring to FIG. 5, Alice 10 according to an embodiment of the present invention includes a quantum state preparation unit 11, a quantum channel verification unit 12, and a quantum entity authentication unit 13.

The quantum state preparation unit 11 may prepare authentication quantum states that are generated based on an authentication key previously shared with an entity.

Here, the quantum state preparation unit 11 may separate the authentication quantum states into a verification state for verifying the security of a quantum channel and an authentication state for authenticating the entity.

The quantum channel verification unit 12 may transmit a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum states, to a quantum measurement device, and may verify the security of the quantum channel by using the results of Bell measurement, revealed by the quantum measurement device for the quantum state, and the authentication quantum states.

In detail, the quantum channel verification unit 12 may verify the security of the quantum channel depending on whether the quantum state, generated by performing the operation using the unique operator on the verification state, and the quantum state of the entity match the results of the Bell measurement.

Here, the verification state may be obtained by performing an operation using an operator in which a Hadamard operator is included in the unique operator.

The quantum measurement device 100 may reveal the results of Bell measurement by a detector reacting to the input quantum state, among multiple detectors, using a polarization beam splitter which receives the input quantum state.

Here, when two quantum states are input, the quantum measurement device 100 may decompose the two quantum states into four Bell states, and may reveal the Bell measurement results from which coincidence measurement events in any one detector are excluded.

The quantum channel verification unit 12 may receive the location of the verification state from the entity, and may transmit information about the unique operator used to perform the operation at the location of the verification state to the entity.

When the security of the quantum channel is verified, the quantum entity authentication unit 13 may authenticate the entity using the results of the Bell measurement and the unique operator.

Here, the quantum entity authentication unit 13 may authenticate the entity depending on whether a quantum state, generated by performing an operation using the unique operator on the authentication state, and the quantum state of the entity match the results of the Bell measurement.

The quantum entity authentication unit 13 may receive the location of the authentication state from the entity, and may transmit information about the unique operator used to perform the operation at the location of the authentication state to the entity.

The corresponding entity may authenticate an additional entity that has requested authentication using the quantum state of the entity, the unique operator used for the operation at the location of the authentication state, the results of the Bell measurement, and the previously shared authentication key.

When the basis of the authentication state is a predefined first basis, if the authentication states of the corresponding entity and the additional entity are identical to each other, and a pair of normal measurement results is derived as the results of the Bell measurement, the quantum entity authentication unit 13 may determine that the additional entity is the intervention of an attacker.

Further, when the authentication states of the corresponding entity and the additional entity are different from each other and a coincidence measurement event has occurred, the quantum entity authentication unit 13 may authenticate the additional entity by comparing dark count rates.

Here, when the basis of the authentication state is a predefined second basis, the quantum entity authentication unit 13 may authenticate the additional entity by separating the results of the Bell measurement depending on whether the authentication states of the entity and the additional entity are identical to each other.

FIG. 6 is an operation flowchart illustrating a quantum entity authentication method according to an embodiment of the present invention.

Referring to FIG. 6, the quantum entity authentication method according to the embodiment of the present invention may prepare quantum states at step S210.

That is, at step S210, authentication quantum states that are generated based on an authentication key previously shared with an entity and may be prepared.

At step S210, the authentication quantum states may be separated into a verification state for verifying the security of a quantum channel and an authentication state for authenticating the entity.

Here, among the authentication quantum states, the authentication state may be obtained by performing an operation using a unique operator N′.

Among the authentication quantum states, the verification state may be obtained by performing an operation using an operator N in which a Hadamard operator is included in the unique operator.

Next, the quantum entity authentication method according to an embodiment of the present invention may verify the quantum channel at step S220.

In detail, at step S220, a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum states, may be transmitted to a quantum measurement device, and the security of the quantum channel may be verified by using the results of the Bell measurement revealed by the quantum measurement device for the quantum state, the authentication quantum states, and the unique operator.

Here, at step S220, the security of the quantum channel may be verified depending on whether the quantum state, generated by performing the operation using the unique operator on the verification state, and the quantum state of the entity match the results of the Bell measurement.

Here, at step S220, the quantum measurement device 100 may reveal the results of Bell measurement by a detector which reacts to the input quantum state, among multiple detectors, using a polarization beam splitter which receives the input quantum state.

Here, at step S220, when two quantum states are input to the quantum measurement device 100, the two quantum states may be decomposed into four Bell states, and thus the Bell measurement results from which coincidence measurement events are excluded may be revealed.

Further, at step S220, the location of the verification state may be received from the entity, and information about the unique operator used to perform the operation at the location of the verification state may be transmitted to the entity.

Next, the quantum entity authentication method according to the embodiment of the present invention may authenticate the entity at step S230.

That is, at step S230, when the security of the quantum channel is verified, the entity may be authenticated using the results of the Bell measurement and the unique operator.

Here, at step S230, the entity may be authenticated depending on whether a quantum state, generated by performing an operation using the unique operator on the authentication state, and the quantum state of the entity match the results of the Bell measurement.

Here, at step S230, the location of the authentication state may be received from the entity, and information about the unique operator used to perform the operation at the location of the authentication state may be transmitted to the entity.

At step S230, the corresponding entity may authenticate an additional entity that has requested authentication using the quantum state of the entity, the unique operator used for the operation at the location of the authentication state, the results of the Bell measurement, and the previously shared authentication key.

At step S230, when the basis of the authentication state is a predefined first basis, if the authentication states of the corresponding entity and the additional entity are identical to each other, and a pair of normal measurement results is derived as the results of the Bell measurement, it may be determined that the additional entity is the intervention of an attacker.

Here, at step S230, when the authentication states of the corresponding entity and the additional entity are different from each other and a coincidence measurement event has occurred, the additional entity may be authenticated by comparing dark count rates.

Further, at step S230, when the basis of the authentication state is a predefined second basis, the additional entity may be authenticated by separating the results of the Bell measurement depending on whether the authentication states of the entity and the additional entity are identical to each other.

Below, an example in which the quantum entity authentication apparatus according to the embodiment of the present invention and an entity authenticate an additional entity will be described.

First, an example in which Alice 10 according to an embodiment of the present invention performs entity authentication on Bob 20 will be described.

Assuming that an authentication key is Ak_(i)=10, Alice and Bob may prepare quantum states |AQ>_(i) ^(A)=|+> and |AQ>_(i) ^(B)=|+>, respectively, depending on Ak_(i). The superscripts of A and B indicate states prepared by Alice and Bob, respectively.

In this case, Alice selects a unique operator N′=iσ_(y) and performs an operation using the unique operator, as represented by the following Equation (11):

N _(i) |AQ> _(i) ^(B) =|−>=|AQ> _(i) ^(B′)  (11)

At this time, Alice may transmit a quantum state obtained by performing the operation using the unique operator to Charlie.

Here, it can be seen that the quantum states received by Charlie are quantum states |AQ>_(i) ^(A)=|+> and |AQ>_(i) ^(B′)=|−>. Therefore, referring to Table 3, the results of measurement by Charlie may be one of {(D₁, D₁) (D₂,D₂) (D₃,D₃) (D₄,D₄) (D₁, D₃) (D₂,D₄)), but, in practice, the measurement results may be one of (D₁, D₃) (D₂,D₄)} with the exception of coincidence measurement events. The probability of a coincidence measurement event occurring (the probability of failure in measurement) may be 50%, and (D₁, D₃) or (D₂, D₄) may appear at the probability of the remaining 50%. This may be summarized, as shown in the following Table 5.

TABLE 5 Input quantum Results of measurement Probability states of Possible measurement indicating success in of success in Alice and Bob results of Charlie authentication authentication (|0>, |0>) (D₁, D₁)(D₄, D₄) — — (|1>, |1>) (D₂, D₂)(D₃, D₃) — — (|0>, |1>), (|1>, |0>) (D₁, D₂)(D₃, D₄) (D₁, D₂)(D₃, D₄) 100%  (D₁, D₃)(D₂, D₄) (D₁, D₃)(D₂, D₄) (|+>, |+>), (|−>, |−>) (D₁, D₁)(D₂, D₂) (D₁, D₂)(D₃, D₄) 50% (D₃, D₃)(D₄, D₄) (D₁, D₂)(D₃, D₄) (|+>, |−>), (|−>, |+>) (D₁, D₁)(D₂, D₂) (D₁, D₃)(D₂, D₄) 50% (D₃, D₃)(D₄, D₄) (D₁, D₃)(D₂, D₄)

When the input states of Alice and Bob are (|0>, |0>) or (|1>, |1>), only coincidence measurement events must occur. Accordingly, when the results of measurement, such as (D₁, D₂). (D₃, D₄), (D₁, D₃), or (D₂,D₄), appear, it may be determined that there is an authentication attempt made by a middle attacker or an illegitimate user. Referring to Table 5, it can be seen that, when input states are equivalently distributed, the total probability of success in authentication is 50%.

Next, an example in which Bob 20, who is an entity according to an embodiment of the present invention, performs entity authentication on Alice 10, who is an additional entity, will be described.

For example, it may be assumed that the value of an authentication key Ak_(j) at location j of an authentication state is “00”, and the authentication state prepared by Bob depending on the value of the authentication key is |0>.

At this time, Alice may prepare |0> depending on Ak_(j) and perform an operation using a unique operator N′=iσ_(y) on the authentication state prepared by Alice, and may then transmit |1> to Charlie.

In this case, when the result of measurement by Charlie is (D₃, D₄), Bob may request Alice to reveal the unique operator N′ at the location of the authentication state.

Then, Bob may check whether the unique operator revealed by Alice satisfies the associative relationship, such as that shown in Table 5, together with the results of measurement by Charlie, the value of the authentication key Ak_(j), and the initial state prepared by Bob, and may then authenticate Alice.

Since (D₃, D₄) revealed by Charlie and the unique operator N′=iσ_(y) revealed by Alice satisfy the relationship of Table 5, Bob may successfully perform entity authentication on Alice.

When the basis of authentication states is a predefined first basis σ_(z), the entity Alice 10 may analyze the authentication states by separating the cases of the authentication state into two cases.

First, the case where two authentication states are identical to each other is taken into consideration. In this case, when a pair of normal measurement results appears, Alice 10 may determine that there is the intervention of an attacker. Second, the case where two authentication states are different from each other is taken into consideration. The number of cases (coincidence measurement events may be included in the cases) where only one detector reacts to the input state for which only pairs of normal measurement results must appear is statistically analyzed. Authentication may succeed only when the number of cases is lower than a dark count rate, otherwise it may be determined that there is the intervention of an attacker.

When the basis of the authentication state is a predefined second basis σ_(x), pairs of normal measurement results may be separated without overlapping each other, and thus Alice 10 may easily determine whether authentication has succeeded.

Since a verifier according to an embodiment of the present invention randomly prepares verification states and authentication states, an external attacker and a prover cannot make an attack by separating the verification states and the authentication states. In the results of measurement revealed by Charlie, the quantum measurement device 100, the authentication states and the verification states are not separated from each other, and thus it is possible to allow the verifier to determine whether the security of a channel is guaranteed and a middle attacker is present without leaking authentication information.

When the verifier is Alice 10, Alice 10 may be aware that a verification state prepared by Bob 20, who is the prover, uses a shared authentication key Ak. Therefore, Alice 10, who is the verifier, may check whether the results of measurement revealed by Charlie and the state prepared by the verifier satisfy the relationship of Table 3, thus determining the security of the channel. However, when the verifier is Bob, Bob may check whether the relationship of Table 3 is satisfied only by requesting information about the unique operator N related to a verification location from Alice, who is the prover, and by receiving the requested information.

In this case, error in detectors and a coincidence measurement event rate γ determined to be error due to difficulty in identifying a normal measurement may be represented by the following Equation (12):

γ≡½+u  (12)

Here, u denotes dark count rates indicating the error in detectors. u may be experimentally specified. In actual operations, when the total coincidence measurement event rate is calculated and is compared with a theoretical coincidence measurement event rate γ, the existence of a middle attacker or an internal attacker may be identified.

With the exception of coincidence measurement events according to an embodiment of the present invention, all measurement results available for verification may be defined as a total of ½−u+δ for all inputs. Here, δ denotes the probability that two different detectors will be measured at the same time due to dark counts, and pairs of normal measurement results ((D₁, D₂), (D₃, D₄), (D₁, D₃), or (D₂, D₄)) will be obtained. Since the probability δ that normal measurement result pairs will be obtained by dark counts have a relationship of 1»u»δ, δ may be negligible. Therefore, from the standpoint of security, the probability δ of occurrence of normal measurement result pairs attributable to errors is negligible.

A verification probability indicating the probability that an attacker will be identified in the verification state may be represented by Equation (13).

D=(1−γ)^(l)  (13)

In Equation 13, l denotes the number of verification states. According to Equation (13), γ<1 is satisfied, so that, when the number of verification states 1 is sufficiently large, D converges on ‘1’, thus enabling an attacker to be definitely detected.

FIG. 7 is a diagram illustrating a computer system according to an embodiment of the present invention.

Referring to FIG. 7, each of Alice 10 and the quantum measurement device 100 according to an embodiment of the present invention may be implemented in a computer system 1100, such as a computer-readable storage medium. As illustrated in FIG. 7, the computer system 1100 may include one or more processors 1110, memory 1130, a user interface input device 1140, a user interface output device 1150, and storage 1160, which communicate with each other through a bus 1120. The computer system 1100 may further include a network interface 1170 connected to a network 1180. Each processor 1110 may be a Central Processing Unit (CPU) or a semiconductor device for executing processing instructions stored in the memory 1130 or the storage 1160. Each of the memory 1130 and the storage 1160 may be any of various types of volatile or nonvolatile storage media. For example, the memory 1130 may include Read-Only Memory (ROM) 1131 or Random Access Memory (RAM) 1132.

The quantum entity authentication apparatus according to an embodiment of the present invention may include one or more processors, and execution memory 1130 for storing at least one program that is executed by the one or more processors 1110, wherein the at least one program is configured to prepare an authentication quantum state that is generated based on an authentication key previously shared with an entity, transmit a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum state, to a quantum measurement device, and verify security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of Bell measurement being revealed by the quantum measurement device for the quantum state, and when security of the quantum channel is verified, authenticate the entity using the result of the Bell measurement and the unique operator.

The at least one program is configured to separate the authentication quantum state into a verification state for verifying the security of the quantum channel and an authentication state for authenticating the entity.

Here, the verification state may be configured such that an operation in which a Hadamard operator is included in the unique operator is performed on the verification state.

The at least one program may be configured to verify the security of the quantum channel depending on whether a quantum state, generated by performing the operation using the unique operator on the verification state, and a quantum state of the entity match the result of the Bell measurement.

Here, the quantum measurement device may reveal a result of Bell measurement by a detector reacting to an input quantum state, among multiple detectors, using a polarization beam splitter that receives the input quantum state.

Here, when two quantum states are input, the quantum measurement device may decompose the two quantum states into four Bell states, and may reveal the result of the Bell measurement from which coincidence measurement events in multiple detectors are excluded.

The at least one program is configured to receive a location of the verification state from the entity and transmit information about a unique operator used to perform an operation at the location of the verification state to the entity.

The at least one program is configured to authenticate the entity depending on whether a quantum state, generated by performing the operation using the unique operator on the authentication state, and the quantum state of the entity match the result of the Bell measurement.

The at least one program is configured to receive a location of the authentication state from the entity and transmit information about the unique operator used to perform an operation at the location of the authentication state to the entity.

The at least one program is configured such that the entity authenticates an additional entity that requests authentication based on the quantum state of the entity, the unique operator used to perform the operation at the location of the authentication state, the result of the Bell measurement, and the previously shared authentication key.

The at least one program is configured to, in a case where a basis of the authentication state is a predefined first basis, if the entity and the additional entity have an identical authentication state and a pair of normal measurement results is derived as the result of the Bell measurement, determine that the additional entity is intervention of an attacker.

The at least one program is configured to, if the entity and the additional entity have different authentication states and a coincidence measurement event occurs, compare dark count rates and then authenticate the additional entity.

The at least one program is configured to, in a case where a basis of the authentication state is a predetermined second basis, separate the result of the Bell measurement depending on whether the entity and the additional entity have an identical authentication state, and then authenticate the additional entity.

The present invention may guarantee the security of quantum entity authentication even if a measurement device is exposed to an attacker or the measurement device is not trusted.

Further, the present invention may provide quantum entity authentication secure against a side-channel attack on a measurement device.

Furthermore, the present invention may provide authentication service to MDI-QKD based on high compatibility with MDI-QKD.

As described above, in the quantum entity authentication apparatus and method according to the present invention, the configurations and schemes in the above-described embodiments are not limitedly applied, and some or all of the above embodiments can be selectively combined and configured so that various modifications are possible. 

What is claimed is:
 1. A quantum entity authentication apparatus comprising: a quantum state preparation unit for preparing an authentication quantum state that is generated based on an authentication key previously shared with an entity; a quantum channel verification unit for transmitting a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum state, to a quantum measurement device, and for verifying security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of the Bell measurement being revealed by the quantum measurement device for the quantum state; and a quantum entity authentication unit for, when the security of the quantum channel is verified, authenticating the entity using the result of the Bell measurement and the unique operator.
 2. The quantum entity authentication apparatus of claim 1, wherein the quantum state preparation unit separates the authentication quantum state into a verification state for verifying the security of the quantum channel and an authentication state for authenticating the entity.
 3. The quantum entity authentication apparatus of claim 2, wherein the quantum channel verification unit verifies the security of the quantum channel depending on whether a quantum state, generated by performing the operation using the unique operator on the verification state, and a quantum state of the entity match the result of the Bell measurement.
 4. The quantum entity authentication apparatus of claim 3, wherein the quantum entity authentication unit authenticates the entity depending on whether a quantum state, generated by performing the operation using the unique operator on the authentication state, and the quantum state of the entity match the result of the Bell measurement.
 5. The quantum entity authentication apparatus of claim 3, wherein the verification state is configured such that an operation in which a Hadamard operator is included in the unique operator is performed on the verification state.
 6. The quantum entity authentication apparatus of claim 1, wherein the quantum measurement device reveals a result of Bell measurement by a detector reacting to an input quantum state, among multiple detectors, using a polarization beam splitter that receives the input quantum state.
 7. The quantum entity authentication apparatus of claim 6, wherein the quantum measurement device is configured to, when two quantum states are input, decompose the two quantum states into four Bell states, and reveal the result of the Bell measurement from which coincidence measurement events in any one detector are excluded.
 8. The quantum entity authentication apparatus of claim 4, wherein the quantum channel verification unit receives a location of the verification state from the entity and transmits information about a unique operator used to perform an operation at the location of the verification state to the entity.
 9. The quantum entity authentication apparatus of claim 8, wherein the quantum entity authentication unit receives a location of the authentication state from the entity and transmits information about the unique operator used to perform an operation at the location of the authentication state to the entity.
 10. The quantum entity authentication apparatus of claim 9, wherein the entity authenticates an additional entity that requests authentication based on the quantum state of the entity, the unique operator used to perform the operation at the location of the authentication state, the result of the Bell measurement, and the previously shared authentication key.
 11. A quantum entity authentication method performed by a quantum entity authentication apparatus, the quantum entity authentication method comprising: preparing an authentication quantum state that is generated based on an authentication key previously shared with an entity; transmitting a quantum state, generated by performing an operation using a prestored unique operator on the authentication quantum state, to a quantum measurement device, and verifying security of a quantum channel by using a result of Bell measurement and the authentication quantum state, the result of the Bell measurement being revealed by the quantum measurement device for the quantum state; and when the security of the quantum channel is verified, authenticating the entity using the result of the Bell measurement and the unique operator.
 12. The quantum entity authentication method of claim 11, wherein preparing the authentication quantum state is configured to separate the authentication quantum state into a verification state for verifying the security of the quantum channel and an authentication state for authenticating the entity.
 13. The quantum entity authentication method of claim 12, wherein verifying the security of the quantum channel is configured to verify the security of the quantum channel depending on whether a quantum state, generated by performing the operation using the unique operator on the verification state, and a quantum state of the entity match the result of the Bell measurement.
 14. The quantum entity authentication method of claim 13, wherein authenticating the entity is configured to authenticate the entity depending on whether a quantum state, generated by performing the operation using the unique operator on the authentication state, and the quantum state of the entity match the result of the Bell measurement.
 15. The quantum entity authentication method of claim 13, wherein the verification state is configured such that an operation in which a Hadamard operator is included in the unique operator is performed on the verification state.
 16. The quantum entity authentication method of claim 11, wherein verifying the security of the quantum channel is configured such that the quantum measurement device reveals a result of Bell measurement by a detector reacting to an input quantum state, among multiple detectors, using a polarization beam splitter that receives the input quantum state.
 17. The quantum entity authentication method of claim 16, wherein verifying the security of the quantum channel is configured to, when two quantum states are input to the quantum measurement device, decompose the two quantum states into four Bell states and reveal the result of the Bell measurement from which coincidence measurement events in multiple detectors are excluded.
 18. The quantum entity authentication method of claim 14, wherein verifying the security of the quantum channel is configured to receive a location of the verification state from the entity and transmit information about a unique operator used to perform an operation at the location of the verification state to the entity.
 19. The quantum entity authentication method of claim 18, wherein authenticating the entity is configured to receive a location of the authentication state from the entity and transmit information about the unique operator used to perform an operation at the location of the authentication state to the entity.
 20. The quantum entity authentication method of claim 19, wherein authenticating the entity is configured such that the entity authenticates an additional entity that requests authentication based on the quantum state of the entity, the unique operator used to perform the operation at the location of the authentication state, the result of the Bell measurement, and the previously shared authentication key.
 21. The quantum entity authentication method of claim 20, wherein authenticating the entity is configured to, in a case where a basis of the authentication state is a predefined first basis, if the entity and the additional entity have an identical authentication state and a pair of normal measurement results is derived as the result of the Bell measurement, determine that the additional entity is intervention of an attacker.
 22. The quantum entity authentication method of claim 21, wherein authenticating the entity is configured to, if the entity and the additional entity have different authentication states and a coincidence measurement event occurs, compare dark count rates and then authenticate the additional entity.
 23. The quantum entity authentication method of claim 20, wherein authenticating the entity is configured to, in a case where a basis of the authentication state is a predetermined second basis, separate the result of the Bell measurement depending on whether the entity and the additional entity have an identical authentication state, and then authenticate the additional entity. 